Author: Victor Sandin
On 12 April, Infoblox observed a malicious email campaign distributing Formbook malware via Microsoft Office documents containing malicious macros. Emails in this campaign lure victims into opening a spoofed purchase invoice from Hyundai, and into enabling macros to access the document’s content.
Infoblox has reported on Formbook campaigns several times in the past [1,2,3]; those campaigns commonly used financial-themed lures and other urgent topics such as the Coronavirus.
Formbook is a well-known infostealer and form grabber that is sold as malware-as-a-service (MaaS) [4] in underground forums. Its capabilities include evasion techniques such as process hollowing, as well as webform hijacking, keylogging, clipboard monitoring and communication with a command and control (C&C) server.
In this campaign, victims received an email with the subject line "PI Payment" urging them to open the attached purchase invoice. The file attachment was a Microsoft Excel spreadsheet (XLS) containing a malicious macro that connects to the threat actors' C&C servers and downloads Formbook malware.
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.